Re: CfC: Transition CSP2 to CR. from Brian Smith on 2015-02-09 (public-webappsec@w3.org from February 2015)

From: Brian Smith <brian@briansmith.org>
Date: Sun, 8 Feb 2015 20:15:35 -0800
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Ryan Sleevi <rsleevi@chromium.org>
Message-ID: <CAFewVt79XuxfzqbXn1W+GgpJxxT_YFAjLdE+uScjX+Xe7=xMOQ@mail.gmail.com>

[+rsleevi]

Francois Marier <francois@mozilla.com> wrote:
> On 06/02/15 21:25, Mike West wrote:
>> Any other issues folks have on their mind for CSP2?
>
> CSP2 recently added support for Base64url hashes citing parity with SRI
> as one of the reasons [1] for this change.
>
> Given that the final SRI spec may be moving away from URIs for encoding
> the hashes [2], and that CSP hashes are not URIs either, I was
> wondering: is there a reason to use a URL-safe encoding of Base64 as
> opposed to just regular base64?
>
> It's fairly trivial to support both in user agents, but it adds a small
> amount of complexity to both specs.
>
> I don't have a strong opinion on this, but I wanted to note that this
> decision will have an impact on what we do in the SRI spec too.

I think it is important for SRI, CSP, HPKP, and other HTTP security
mechanisms to use similar rules and syntax for things like this,
whenever practical, because consistency should result in better
usability for the (security) engineers trying to deploy these
features.

Also, I think when there are two possible ways to write something,
specifications should state a preference for one over the other, to
encourage tutorials and examples that are consistent with each other
and thus easier to understand.

In particular, CSP and SRI should specify a preference for base64
encoding over base64url encoding, and for identifying hashes without
the dash ("sha256" instead of "sha-256") since that's what HPKP
requires [1][2]. And, either CSP and SRI should remove or deprecate
the non-preferred forms, or HPKP should add support for them.

I'm guessing it is either too late for HPKP to be changed and/or it is
unlikely that the IETF would be willing to change HPKP to add support
for base64url or to support the with-dash syntaxes. So, I slightly
prefer dropping support for base64url encoding and for the with-dash
form of digest names.

Cheers,
Brian

[1] http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21#section-2.1.1

Received on Monday, 9 February 2015 04:16:03 UTC